If you think companies are out of the “cyber woods” in terms of risk, then you should think again.
The latest research from the insurance organization Aon Risk Solutions finds 90% of senior executives saying cyber risk is “not fully understood”, while 80% say companies are actually less prepared for a cyber attack than they think.
Add to that the fact that fewer than half (44%) of executive and non-executive directors consider reputation damage a significant business risk and you’ve got a cyber criminals’ charter. You might as well leave a sign on the server door saying “gone phishing”.
The evident lack of understanding and complacency in this increasingly critical area of corporate risk has a number of origins:
Discussion of cyber risk tends to be wrapped in riddles and technical terminology; terms such as threat, vulnerability and risk are used interchangeably and become confusing just when clarity is essential. The net effect is that executives don’t understand and the argument passes them by. This can lead to poor decision making, a lack of protection and detection ahead of an incident, and a lack of capability to respond and recover effectively following an attack.
Recognizing what’s at stake:
Question: what is it you want to protect and what would be the impact of an attack if it rendered vital data or an organizational capability unavailable?
There can be a lack of understanding and a naivety within an organization that manifests itself in the belief that it has nothing worth attacking. However, every company is invariably part of a broader supply chain, and cyber criminals might be more interested in getting to a bigger fish (your clients, your partners) through your cyber connections.
Many companies think that the answer to managing cyber risk lies in investing in more and more technology. While there is some great technology, it needs to be balanced with good processes and with making staff aware of the risks and of their role both in preventing an attack and in responding to and recovering from a live incident.
Failure to understand the risks leads directly to complacency about cyber risk. Some might believe the chance of being attacked is statistically low, but it’s not advisable to stake your organization’s reputation on a bookie’s odds.
What must senior executives think about and do?
- You need to understand your level of cyber resilience and the balance that exists between A) protecting/detecting cyber attack and B) your capability to respond and recover when the worst happens; often, organizations focus on A and neglect B.
- Detect and protect is about trying to prevent an incident happening and detecting if someone has breached the network. Bear in mind, the most sophisticated attacks are difficult to prevent and detect.
- What can you do to respond and recover? It’s essential to have a plan in place, which includes communications. For example, when does a listed company tell the market it’s been compromised? Do you involve the police, which means needing to preserve evidence? Who should be involved in a recovery? It involves many more people in a business than just the IT department.
- What assets are critical? While some people might talk about information or servers, they also need to be looking at business capability and identifying the data and processes essential to remaining operational.
- Do you have an important client that is a potential target? If so, your company could be seen as a cyber “stepping stone” for criminals, which makes your organization both a target and a risk to other companies. Therefore, you need to identify how you might be the weakest link in the overall supply chain.
- Ask the “so what?” question: what will happen if we do nothing? Understand the likely impact and encourage executives and non-executive directors to ask more difficult questions within the operational side of the business and challenge its level of preparedness.
- Do the basics very well – for example, have a good patching regime, change passwords regularly and train staff.
As a senior executive, you have an obligation to your company – its staff, customers and shareholders – to not be among the percentage who don’t understand cyber risk or whose organizations are unprepared for when (not if) an attack happens.
For more information on AXELOS' cyber resilience best practice, please see our RESILIA™ section.
Have you or your organization ever suffered a cyber attack on your systems or data? Do you currently have a policy or specific measures in place to prevent or counter future cyber risks or security breaches? Please share your thoughts in the comments box below.
More AXELOS Blog Posts by Mark Logsdon